AbstractEmu Android malware can root your device, lock you out
Android’s latest AbstractEmu malware can inconspicuously root your device; Here’s how to stay safe

Oct 31, 2021
06:39 pm

What's the story

Security researchers at the Lookout Threat Lab have alerted app stores and the general public of an Android malware dubbed AbstractEmu masquerading as a fully functional security, utility, or privacy app. The malware gains unauthorized root access to the victim's device and can lock them out of their device, install other malware, and access all the sensor data and stored information.

Rampant

Major third-party app stores also found distributing the malware

In a blog post, Lookout explained that the malware was spreading through 19 apps on the Google Play Store, Amazon Appstore, and the Samsung Galaxy Store besides third-party app stores such as APKPure and Aptoide, among others. Seven of these apps contained rooting functionality. An app called Lite Launcher was downloaded 10,000+ times from the Play Store before Google booted it upon Lookout's request.

Motive

AbstractEmu could be work of sophisticated group with financial motivation

Lookout concluded that it couldn't identify the bad actors behind the malware. However, it said the hackers seemed to be "a well-resourced group with financial motivation" identifiable by their sophisticated "use of burner emails, names, phone numbers, and pseudonyms." Additionally, Lookout's Kristina Balaam and Paul Shunk remarked that AbstractEmu's discovery is significant because widely distributed malware with root capability is a rarity now.

Dangers

AbstractEmu uses a three-stage infection process to gain root access

The AbstractEmu malware is dangerous because users may inadvertently install it, assuming it works as a harmless app. On the surface, infected apps do work normally, but unbeknownst to the user, they trigger a three-stage infection process. Eventually, spyware disguised as a "Setting Storage" storage manager is installed with root access. It can access the victim's contacts, call logs, messages, location, camera, and microphone.

More perils

Despite dangerous root access, malware's end goal remains unknown

Thanks to the aforementioned root access, the spyware effectively has more control over the device than the victim does. Bad actors could lock victims out, have the malware draw over other apps, capture banking screenshots, view notifications, record screen activity, and disable Google's Play Protect service. These capabilities go well beyond what the banking scams and premium service scams of other modern malware require.

Safety first

Ensure you're running latest Android security patch to stay safe

To stay protected from the AbstractEmu malware, update the Android version your phone is running immediately. All the vulnerabilities used in the attack were reportedly patched as of the official March 2020 Android security update. Additionally, steer clear of third-party app stores unless you are confident they are trustworthy. Moreover, if you notice that an app you have installed has been delisted from the Play Store, uninstall it from your device promptly.
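As an added check for the patch-level advice above (this is example code, not from Lookout or the article), the script below reads a device's `ro.build.version.security_patch` property from `adb shell getprop` output and flags any device whose patch level predates March 2020. It assumes the property carries Android's usual YYYY-MM-DD date string and treats any March 2020 or later patch level as covered; the getprop text here is constructed, not captured from a real device.

```python
"""Flag Android devices whose security patch level predates the March 2020
update that the article cites as closing AbstractEmu's rooting exploits."""
import re
from datetime import date

# Assumption: any patch level dated March 2020 or later includes the fixes.
ABSTRACTEMU_PATCH_BASELINE = date(2020, 3, 1)

# Constructed sample of `adb shell getprop` output (not real device data).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-10-05]
[ro.product.model]: [EXAMPLE-MODEL]
"""

# getprop prints one "[name]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Turn getprop text into a dict of property name -> value."""
    props = {}
    for line in output.splitlines():
        match = _PROP_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def patch_level(props: dict):
    """Return the security patch level as a date, or None if absent or malformed."""
    try:
        return date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return None


def assess_device(output: str) -> dict:
    """Summarise one device; an unreadable patch level is treated as exposed."""
    props = parse_getprop(output)
    level = patch_level(props)
    return {
        "model": props.get("ro.product.model", "unknown"),
        "android_release": props.get("ro.build.version.release", "unknown"),
        "security_patch": level.isoformat() if level else None,
        "exposed_to_abstractemu_exploits": level is None or level < ABSTRACTEMU_PATCH_BASELINE,
    }


if __name__ == "__main__":
    print(assess_device(SAMPLE_GETPROP))
```

With a device attached, pipe `adb shell getprop` into `assess_device` to check real hardware.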